REMARKS IN SUPPORT OF PRE-APPEAL BRIEF REQUEST FOR REVIEW 

Mail Stop AF 
Commissioner for Patents 
P.O. Box 1450 
Alexandria, VA 22313-1450 

Dear Sir: 

This is in response to the Office Action mailed January 24, 2006. The following remarks 
are respectfully submitted in support of Applicants' pre-appeal brief request for review filed 
herewith. 

Claims 1-12, 16, and 17 are pending. Claims 1, 16, and 17 are independent. Claims 2-12 
depend from claim 1. The Examiner has rejected claims 1-12, 16, and 17 under 35 U.S.C. 103(a) 
as being unpatentable over Porras in view of Beardsley. Applicants respectfully submit that the 
cited references do not establish a prima facie case of obviousness, such that the Examiner 
clearly erred in rejecting the claims as obvious. 

Neither Porras nor Beardsley, either singly or in combination, describes an analysis 
engine configured to "identify a backward time step" in a logfile, "determine that the backward 
time step is associated with an event," and "assign a suspicion value to the event based at least in 
part on the backward time step," as recited in claim 1. 
Porras teaches consolidating alerts that are indicative of a common incident. The January 
24, 2006 Office Action, at pages 7-8, acknowledges that Porras does not disclose "identify a 
backward time step in the logfile by identifying a first entry for which an associated first log 
entry time is earlier in time than a second log entry time associated with a second log entry 
entered in the logfile prior to the first entry" and asserts that Beardsley teaches "using time 
stamps to correlate data processing event times in connected data processing units" and that "the 
Beardsley et al invention also clearly encompasses the logging of detected intrusions on a host 
system," and that "it would have been obvious. . . to have been motivated to combine the Porras 
et al system. . . with the Beardsley et al teachings." 

Beardsley describes a way to determine an event time on a host clock when the event is 
logged on a peripheral system clock. In Beardsley, the event has already been detected. A time 
difference between a host and a peripheral system is used to convert the peripheral time to a host 
time, i.e., when the clocks are not synchronized, the difference between the host time stamp and 
the peripheral time stamp is added to the peripheral time stamp to determine the event time on 
the host clock. Beardsley, column 2, line 47 to column 3, line 4. By contrast, claim 1 recites 
identifying a backward time step, determining that the backward time step is associated with an 
event, and assigning a suspicion value to the event. The backward time step is identified within 
the logfile itself and is determined to be associated with an event. For example, the backward 
time step may reflect an attempt by an intruder to camouflage an unauthorized action taken by the 
intruder by altering the system clock, as described in the application at page 83, line 13 to page 
85, line 13. Beardsley only describes a difference in time between a host and a peripheral system, 
e.g., due to a lack of clock synchronization between the host and the peripheral system, and not a 
backward time step in a logfile as recited in claim 1. The difference in time described by 
Beardsley is not associated with an event, and is merely used to convert the peripheral time to a 
host time. 
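The claim language quoted above describes a concrete detection step: walk the logfile in the order entries were written, find an entry whose timestamp is earlier than that of an entry written before it, tie that step to the entry at which it occurs, and score it. The following Python is an added illustration of that step and is not code from the application, the brief, or either cited reference. It runs over constructed log lines; the one-second tolerance (so that clock slewing or interleaved sources do not trigger a finding), the 60-second "larger than any slew" threshold, the keyword list, and the point values are all assumptions chosen for the example. The step is measured against the latest timestamp seen so far rather than only the immediately preceding entry, so a clock set back past several earlier entries is reported at its full magnitude.

```python
"""Backward time step detection over a logfile (added example, not from the application)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime


@dataclass
class LogEntry:
    seq: int            # position in the file, i.e. the order the entry was written
    ts: datetime        # timestamp recorded in the entry itself
    message: str


@dataclass
class Finding:
    entry: LogEntry     # the entry at which the backward step appears
    high_water: datetime  # latest timestamp seen before this entry
    step_seconds: float   # how far back the clock went relative to high_water
    suspicion: int        # 0..100, assumed scoring scheme for this example


# Constructed sample log: a privileged action followed by a clock reset, a one-second
# ntpd adjustment that should be ignored, and a 130-second step with no privileged marker.
SAMPLE_LOG = """\
2006-01-24 10:00:01 sshd[412]: Accepted password for admin from 10.0.0.5
2006-01-24 10:00:09 sudo: admin : COMMAND=/usr/sbin/useradd backup2
2006-01-24 09:12:30 date: time set to 2006-01-24 09:12:30
2006-01-24 09:12:41 sshd[412]: session closed for user admin
2006-01-24 10:01:15 cron[77]: (root) CMD run-parts /etc/cron.hourly
2006-01-24 10:01:14 ntpd[90]: adjusting local clock by -1.000000s
2006-01-24 10:03:00 kernel: eth0: link up
2006-01-24 10:00:50 kernel: eth0: link down
"""

# Assumed indicators that the step sits next to a privileged or clock-related action.
PRIVILEGED_MARKERS = ("sudo", "useradd", "passwd", "date:", "hwclock", "time set")


def parse_log(text: str) -> list[LogEntry]:
    """Parse 'YYYY-MM-DD HH:MM:SS message' lines, keeping file order in seq."""
    entries = []
    for seq, line in enumerate(text.splitlines()):
        if not line.strip():
            continue
        stamp, message = line[:19], line[20:]
        entries.append(LogEntry(seq, datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), message))
    return entries


def score(entry: LogEntry, prev: LogEntry, high_water: datetime, step_seconds: float) -> Finding:
    """Assign a suspicion value to the event at which the backward step was found."""
    suspicion = 40                               # any backward step beyond tolerance is notable
    if step_seconds >= 60:                       # too large for clock slewing to explain
        suspicion += 30
    context = (entry.message + " " + prev.message).lower()
    if any(marker in context for marker in PRIVILEGED_MARKERS):
        suspicion += 30                          # step sits next to a privileged/clock action
    return Finding(entry, high_water, step_seconds, min(suspicion, 100))


def find_backward_steps(entries: list[LogEntry], tolerance_seconds: float = 1.0) -> list[Finding]:
    """Report each entry whose time is earlier than the entry written just before it.

    The transition is detected against the preceding entry; the magnitude is taken
    against the latest timestamp seen so far, so entries written after the clock
    was set back but before it catches up again are not reported a second time.
    """
    findings: list[Finding] = []
    if not entries:
        return findings
    high_water = entries[0].ts
    for prev, entry in zip(entries, entries[1:]):
        if (prev.ts - entry.ts).total_seconds() > tolerance_seconds:
            step = (high_water - entry.ts).total_seconds()
            findings.append(score(entry, prev, high_water, step))
        high_water = max(high_water, entry.ts)
    return findings


if __name__ == "__main__":
    for f in find_backward_steps(parse_log(SAMPLE_LOG)):
        print(f"seq={f.entry.seq} step={f.step_seconds:.0f}s suspicion={f.suspicion} "
              f"msg={f.entry.message!r}")
```

On the constructed input this reports two findings: the `date: time set` entry (a 2859-second step next to a `sudo`/`useradd` action, scored 100) and the `link down` entry (a 130-second step with no privileged marker, scored 70). The one-second `ntpd` adjustment is below the tolerance and is not reported; lowering the tolerance would surface it with a low score, which is the trade-off a practitioner tunes on logs that merge several clock sources.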

Neither Porras nor Beardsley describes a backward time step as recited in claim 1. 
Therefore, the cited references do not establish a prima facie case of obviousness as to claim 1. 
As such, claim 1 is believed to be allowable. 

Claims 2-12 depend from claim 1 and are believed to be allowable for the same reasons 
described above. 
Claim 16 recites a method executed by the system of claim 1. Therefore, it is believed 
that claim 16 is also allowable. 

Claim 17 recites program code for carrying out the method of claim 16. Therefore, it is 
believed that claim 17 is also allowable. 

Reconsideration of the application and allowance of all claims are respectfully requested 
based on the preceding remarks. 



Respectfully submitted, 